-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Store cluster's Service CIDR to Multi-cluster Gateway's fields #4737
Conversation
a30d513
to
f19be84
Compare
f19be84
to
d6352b0
Compare
oldGateway := gatewayList.Items[0] | ||
if oldGateway.ServiceCIDR != gateway.ServiceCIDR { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not correct, you should compare the req.OldObject and req.Object's ServiceCIDR instead of comparing gatewayList.Items[0]'s CIDR with current Gateway's.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@luolanzone : I do not understand why we need these checks if Gateway is created by MC Controller. The webhook is generally for validating user intents?
If the goal is to prevent users from modifying the object, we should just check that, and ideally override user changes at controller restart.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I think the purpose is to prevent users to modify the field. @jianjuns do you mean not to add validation on webhook but check the field and override the change in node_controller?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally MC Controller should check and override changes. But first it makes no sense to validate particular fields here. If we want to prevent modification from users, can we just check the identity?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point, @hjiajing could you refine this part? Thanks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I will refine this part.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now the controller will check the SA if the verb is "update"
multicluster/controllers/multicluster/member/node_controller.go
Outdated
Show resolved
Hide resolved
multicluster/controllers/multicluster/member/gateway_controller.go
Outdated
Show resolved
Hide resolved
@hjiajing please add commit message to your commit to clarify the change. |
d6352b0
to
f343578
Compare
@luolanzone Added, thanks for the reminder. |
9152047
to
999a16d
Compare
klog.ErrorS(err, "Error getting ServiceAccount name", "Gateway", req.Namespace+"/"+req.Name) | ||
return admission.Errored(http.StatusBadRequest, err) | ||
} | ||
if saName != mcControllerSAName && isServiceCIDRChanged(oldGateway, gateway) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Again, no need to check individual fields. Just check only MC Controller can update the Gateway spec.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. Removed the field check.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I probably approved the PR by mistake. Please ignore that.
@@ -116,12 +119,16 @@ func (r *NodeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl. | |||
var isValidGateway bool | |||
|
|||
if stillGatewayNode { | |||
gw.ServiceCIDR, err = r.getServiceCIDR() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should discover ServiceCIDR in NewNodeReconciler() or maybe SetupWithManager(). @luolanzone?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A NodeReconciler without ServiceCIDR
is invalid, it does not make sense to reconcile gateways, so I moved the getServiceCIDR
step to SetupWithManager
func.
multicluster/controllers/multicluster/member/gateway_controller.go
Outdated
Show resolved
Hide resolved
1d39bac
to
f55c326
Compare
return admission.Errored(http.StatusBadRequest, err) | ||
} | ||
if saName != mcControllerSAName { | ||
return admission.Errored(http.StatusPreconditionFailed, fmt.Errorf("ServiceCIDR can only be updated by Antrea Multi-cluster Controller")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are not comparing ServiceCIDR
, so better to say Gateway can only be updated by Antrea Multi-cluster Controller
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. Removed the ServiceAccount to the above of the Operation check. Now only SA is "antrea-mc-controller" could create or update Gateway.
multicluster/controllers/multicluster/member/node_controller.go
Outdated
Show resolved
Hide resolved
77356b3
to
92359f2
Compare
klog.ErrorS(err, "Error getting ServiceAccount name", "Gateway", req.Namespace+"/"+req.Name) | ||
return admission.Errored(http.StatusBadRequest, err) | ||
} | ||
if saName != mcControllerSAName { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should at least allow other users to get Gateway right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We defined a Gateway webhook to validate the operation for CREATE/UPDATE, it has no impact to GET
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An operation check is added above the SA check. Now only "antrea-mc-controller" could update or create Gateways, but other users could also get Gateways. Two more unit test cases were added.
} | ||
if saName != mcControllerSAName { | ||
return admission.Errored(http.StatusPreconditionFailed, fmt.Errorf("Gateway can only be created or updated by Antrea Multi-cluster Controller")) | ||
} | ||
// Check if there is any existing Gateway. | ||
gatewayList := &mcv1alpha1.GatewayList{} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we check only MC Controller can create Gateways, even this check is not necessary? @luolanzone
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I feel we can remove this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The "unique Gateway" check is removed, as well as the unit test.
533934c
to
0a044ac
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM overall, one nit.
In order to keep Service CIDR in antrea-mc-controller and antrea-agent consistent, the node controller will store the Service CIDR to Gateway's field. When the Service CIDR is used in antrea-agent, controllers could get the Service CIDR in Multi-cluster Gateway. Signed-off-by: hjiajing <hjiajing@vmware.com>
0a044ac
to
3ea1da6
Compare
/test-multicluster-e2e |
In order to keep Service CIDR in antrea-mc-controller and antrea-agent consistent, the node controller will store the Service CIDR to Gateway's field. When the Service CIDR is used in antrea-agent, controllers could get the Service CIDR in Multi-cluster Gateway. Signed-off-by: hjiajing <hjiajing@vmware.com>
Add a new field named
serviceCIDR
to store the local cluster Service CIDR in Multi-cluster Gateway. So that theantrea-agent
could get the Service CIDR from a Gateway, which makes the Service CIDR inantrea-agent
andantrea-mc-controller
consistent.